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Remarks 

Claims 1, 3, 5-14, 16, 18-27, 29, 31-39, 42-48 and 51-58 are pending in this 
application. Claims 1, 14, 27 and 58 have been amended in various particulars as 
indicated hereinabove. Claims 4, 17, and 30 have been cancelled without prejudice or 
disclaimer. 

Claims 1, 3-14, 16-27, 29-39, 42-48 and 51-58 were rejected under 35 U.S.C. 
103(a) as being unpatentable over Malan et al. (US PGPUB 2002/0032871, hereinafter 
"Malan Application") in view of Poletto et al. (US PGPUB 2002/0032880, hereinafter 
"Poletto Application"). This rejection is respectfully traversed for the following reasons. 

Each of the independent claims has been amended to include subject matter based 
on original claim 4, for example. Thus, the claims now require that the "differential 
characteristics [are] based on differential characteristics between request packets routed 
out of said network domain, and response packets routed into the network domain." 

The new limitation is directed to the notion of monitoring incomplete flows, i.e., 
requests without corresponding response packets. This is used to determine the existence 
of a denial of service attack since the implication is that the receiving computers are 
overwhelmed, being unable to keep up with the requests. 

The pending action takes the position that the Malan Application does not teach 
this functionality. Specifically, the pending Action, at page 4, provides: 

7. Malan does not show wherein said monitor makes said determination based on 
differential characteristics of network traffic routed out of said first network domain 
relative to network traffic routed into said first network domain. 

For relevant teachings, page 15 of the 60/230,759 application, parent to the 
Poletto Application, is cited. The following section from page 15 appears to be the most 
relevant: 
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Referring to FIG. 9, the monitoring process in the 
gateway 2 6 can examine 82 a ratio of ingoing to outgoing 
number of TCP packets for a particular set of machines, 
e.g. web servers . The monitoring process can compare 84 
the ratio to a threshold value. The monitoring process can 
store 86 this ratio, time stamp it, etc. and conduct an 
ongoing analysis 88 to determine over time for example tow 
much and how often it exceeds that ratio. As the ratio 

This section merely provides that the ratio of incoming to outgoing packets is 
kept. Nothing suggests keeping the differential characteristics between request packets 
routed out of the network domain, and response packets routed into the domain. 

Monitoring at the level of response to request packets, however, has the potential 
to provide better operation since a direct measure of the degree of overloading is 
generated and can be distinguished from the situation of machines simply downloading 
data in a largely one-way, albeit typical, operation. 

For this reason, the pending claims contain features not present in the applied 
references and should be deemed patentably distinguishable over those references. 

It is believed that the present application is in condition for allowance. A Notice 
of Allowance is respectfully solicited. Should any questions arise, the Examiner is 
encouraged to contact the undersigned. 

Respectfully submitted, 

By /grant houston/ 

J. Grant Houston 
Registration No.: 35,900 
Tel.: 781 863 9991 
Fax: 781 863 9931 

Lexington, Massachusetts 02421 
Date: December 6, 2007 
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